From f8c8fbcab13df73c9ac9fa180db8bebcac74341a Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Wed, 10 Feb 2021 05:13:25 +1100
Subject: [PATCH] Added Audit Policy Config based Logging Impairment (#1378)

* Added Audit Policy Config based Logging Impairment Auditpol can be used to manipulate audit log configuration. Test 3 simulates the adversary disabling certain audit policies to prevent respective events from being recorded in the log
* Add link, update test name Adding in the Solarigate write-up link for reference and also removing the test # from the title (this gets added automatically to the Markdown file)
* added cleanup commands Hi Carrie, The pre-req commands enables the auditpols initially so that it can be disabled when the atomic command is executed. I have copied the same syntax as pre-req to clean-up so it is reinstated. Based on additional research I have several more commands of interest I would like to add which were not part of the MS article but would be considered suspicious. Shall I add them as separate tests? i.e. sub-commands such as clear, restore, remove
* Removed the dependency section Removed the dependency section
Co-authored-by: Carrie Roberts
---
 atomics/T1562.002/T1562.002.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml
index 7b8c7b9b..bd006f32 100644
--- a/atomics/T1562.002/T1562.002.yaml
+++ b/atomics/T1562.002/T1562.002.yaml
@@ -40,3 +40,22 @@ atomic_tests:
 Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
 name: powershell
 elevation_required: true
+- name: 'Impair Windows Audit Log Policy'
+ description: >-
+ Disables the windows audit policy to prevent key host based telemetry being
+ written into the event logs.
+
+ [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ auditpol /set /category:"Account Logon" /success:disable /failure:disable
+ auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
+ auditpol /set /category:"Detailed Tracking" /success:disable
+ cleanup_command: |
+ auditpol /set /category:"Account Logon" /success:enable /failure:enable
+ auditpol /set /category:"Detailed Tracking" /success:enable
+ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+ name: command_prompt
+ elevation_required: true
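Review bot: The `cleanup_command:` lines re-enable success and failure auditing for all three categories unconditionally, which installs a policy the host may never have had (for example a baseline that audited only failures under "Logon/Logoff", or that had "Detailed Tracking" failure auditing on) rather than the pre-test state, so running this atomic can itself drift the host's audit configuration. A faithful cleanup would snapshot first and restore from that snapshot: add `auditpol /backup /file:%TEMP%\auditpol_backup.bak` as the first line of `command:`, and replace the three cleanup lines with `auditpol /restore /file:%TEMP%\auditpol_backup.bak` followed by `del %TEMP%\auditpol_backup.bak`. On a domain-joined host whose audit policy comes from Group Policy the next policy refresh will presumably overwrite whatever cleanup sets anyway, which is worth a one-line caveat in `description:`. The description would also benefit from stating the expected detection signal so operators know what to look for, e.g. `Expected telemetry: Security event 4719 (System audit policy was changed) and process creation of auditpol.exe with /set.`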